generated from bcgov/quickstart-openshift
fix: CE-1078 persist secret content changes between rollouts #698
Merged
Changes from 13 commits (18 commits in total)
| Commit | Author | Message |
|---|---|---|
| 935f1be | jon-funk | test commit |
| 95cc145 | jon-funk | test commit |
| 249ef96 | jon-funk | Add idir officer name update |
| 3ab9cdc | jon-funk | Add replica config for test namespace workloads |
| 9f60ca7 | jon-funk | rollingupdates for test replicas |
| 8d8795f | jon-funk | update chart lock |
| 50e1ae9 | jon-funk | annotation sanity check |
| 850c72a | jon-funk | test commit |
| d304f7d | jon-funk | Revert annotation check and allow secrets to persist in PR dev infra |
| 87eb7f9 | jon-funk | Revert replica tests |
| 41feeb1 | jon-funk | test commit |
| 996f87e | jon-funk | Add labels for cleanup of PR related releases |
| 762d121 | jon-funk | Add additional where to update |
| b3b3aba | jon-funk | formatting tidy |
| a49fdf8 | jon-funk | trigger pr action |
| 012e984 | jon-funk | Cleanup space |
| 8d512a7 | afwilcox | Merge branch 'release/lions-mane-jellyfish' into CE-1078 |
| 38f1425 | afwilcox | Merge branch 'release/lions-mane-jellyfish' into CE-1078 |
@@ -19,3 +19,12 @@ jobs: | |
with: | ||
cleanup: helm | ||
packages: backend frontend migrations | ||
|
||
cleanup-labeled: | ||
name: Cleanup Labeled Resources | ||
uses: bcgov/quickstart-openshift-helpers/.github/workflows/[email protected] | ||
secrets: | ||
oc_namespace: ${{ secrets.OC_NAMESPACE }} | ||
oc_token: ${{ secrets.OC_TOKEN }} | ||
with: | ||
cleanup: label |
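Review bot: the new `cleanup-labeled` job declares no `needs:` on the job above it that runs `cleanup: helm`, so the two cleanups can run concurrently; since the label pass exists to remove the secret objects that helm leaves behind on uninstall, add `needs:` pointing at the helm cleanup job so it runs afterwards, and put a one-line comment above `cleanup-labeled:` explaining why a second cleanup pass is needed. The hunk also passes only `cleanup: label` with no selector input, so confirm that the reusable workflow scopes deletion to this PR's own release (for example by PR number) rather than to every labelled object the `OC_TOKEN` service account can see in `OC_NAMESPACE`.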
do we need this new label?
It's so that this label variant of the cleanup action can be re-used here (nr-compliance-enforcement/.github/workflows/pr-close.yml, line 23 in 762d121), as the helm pr-close here https://github.com/bcgov/quickstart-openshift-helpers/blob/main/.github/workflows/.pr-close.yml#L161 does not allow flag passthrough. Specifically in this case
global.secrets.persist=false
as the dev team would like secret workloads to persist in their dev environments.
changes to their secret workloads to persist between deployments*
Let's discuss this, as cleanup with label will make helm stick around with secret objects. @DerekRoberts and I can look at the helper function to add in the necessary flags as needed, or we can add you as a collaborator on those repos :)
I am sorry.
I misunderstood the change. I see now that you are cleaning up with helm, then with label, to make sure the persisted secret is deleted with labels, as helm won't delete them during uninstall.
I will keep that in our helper as a backlog item, so we don't do two cleanups :)
@jon-funk I would recommend strongly against persisting DEV secrets, since they tend to be abused. Keep them in GitHub Actions (or even, yuk, Vault), then populate during PR environment creation.
@DerekRoberts @mishraomp - Let me provide a little context as to why we want this change.
Our project has two repositories: this one, and the nr-compliance-enforcement-cm repository that has the case management APIs and data that live in the emerald cluster.
By default the PRs in this repository are pointing to a static version of dev, in our emerald namespace.
However, in the event of PRs that require changes both here and in the other repository, we will end up needing to overwrite that secret to point to the environment where the other PR is deployed (e.g. dev-4).
The problem is... EVERY single commit on this repository (e.g. bringing the PR up to date with the latest changes) will reset that overridden secret back to dev-static, which will usually result in integration tests failing.
As a result whenever changes are made to a PR under review one needs to
Can you provide any suggestions for how we can streamline this that doesn't involve persisting secrets?
Let's have a quick discussion on this one over Teams. We can have the .deployer.yml in the repo itself and pass in GitHub secrets, which would allow us to use GitHub secrets as the source of truth, so we can keep a human-generated secret in both repos, which can be fed to the pipeline, and we don't need to persist secrets across PRs or rollouts.
@jon-funk, let's update the logic here to look for PR-specific secret objects: if they exist, read from them; if not, read from the default. https://github.com/bcgov/nr-compliance-enforcement/blob/main/charts/app/templates/secret.yaml#L5
Happy to have a chat on this over Teams.
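One way to implement the lookup-with-fallback suggested in the comment above, as an added Helm template example rather than the chart's own secret.yaml. The `<release>-pr-override` secret name, the `CM_API_URL` key and the `.Values.global.cmApiUrl` value are assumptions; the template renders the developer's hand-made override if it exists and otherwise the default, without marking anything as `helm.sh/resource-policy: keep`, so `helm uninstall` still removes it and no secret has to persist between rollouts:

```yaml
{{- /*
  Added example, not the chart's secret.yaml. A developer who needs this PR
  to point at another environment (e.g. dev-4) creates a Secret named
  <release>-pr-override (assumed name) by hand; it is never rendered by the
  chart, so a new rollout neither overwrites nor deletes it. The rendered
  Secret below is re-created on every rollout from that override when
  present, and from the chart's defaults otherwise.
*/ -}}
{{- $overrideName := printf "%s-pr-override" .Release.Name }}
{{- /* lookup returns an empty map when the object is absent or on dry-run */}}
{{- $override := lookup "v1" "Secret" .Release.Namespace $overrideName }}
{{- $overrideData := dict }}
{{- if $override }}
{{-   $overrideData = default (dict) (get $override "data") }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-backend
  labels:
    app.kubernetes.io/instance: {{ .Release.Name }}
  annotations:
    {{- /* Surface where the value came from, so a reviewer can tell at a glance */}}
    nr-compliance-enforcement/secret-source: {{ ternary $overrideName "chart-defaults" (hasKey $overrideData "CM_API_URL") | quote }}
type: Opaque
data:
  {{- if hasKey $overrideData "CM_API_URL" }}
  {{- /* Secret .data is already base64, so no b64enc on this branch */}}
  CM_API_URL: {{ index $overrideData "CM_API_URL" }}
  {{- else }}
  CM_API_URL: {{ required "global.cmApiUrl is required" .Values.global.cmApiUrl | b64enc }}
  {{- end }}
```

`lookup` needs a live cluster connection, so `helm template` (no cluster) always takes the default branch; verify the override path with `helm install --dry-run=server` or an actual PR deploy.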
@afwilcox @jon-funk How about reading secrets from the second repo and syncing them over? It'd eliminate a lot of busy work. There are tons of alternatives too, like just plain copying the remote repo's config to GitHub secrets for easy (re-)population. @mishraomp's chat idea works too, since this isn't as easy as we usually see. ;)